Privacy (VMware)

Background

The goal of this project was to educate end users about how their data and devices are protected by AirWatch, address their privacy concerns and increase transparency. This project was undertaken because there were growing concerns about whether AirWatch and other MDM solutions are like Big Brother, which were affecting end user adoption.

I have omitted and obfuscated confidential information on this page to comply with my non-disclosure agreement, and the content does not necessarily reflect the views of VMware.

The premise

VMware AirWatch is an Mobile Device Management (MDM) solution. It can be installed on corporate and personal devices to access company resources such as email, documents and productivity apps.

When companies tell their employees to install AirWatch on their phones to access company email, it also means that their devices will be managed. This was causing concern amongst employees (our end users) and raising questions.

“What can my manager see? Will my company know which apps I have on my phone? Can my company see my pictures or my browsing history?”

Understandably, employees were nervous about downloading AirWatch on their devices due to fear of being watched by their employers.

News articles expressing concern about MDM services

Exploratory Research

Our user experience (UX) team set out to address the issue of how end users perceive tools like AirWatch being installed on their devices, particularly personal devices for BYOD use cases.We started by asking how people felt about installing AirWatch on their phone.

We realized much of the stigma associated with installing AirWatch came from a lack of knowledge about what AirWatch actually does.

Goals

Based on the feedback from users, the goals of the project became clearer.

This effort coincided with VMware's Privacy First initiative. The goals of these efforts were to improve how privacy policies are structured and to provide accurate information to end users at every step of the way.

Privacy First

Privacy policies are usually text-based, full of legal jargon. They are difficult to quickly scan through and parse for information most relevant to you. However, we did not want to replace the existing privacy policy. We were designing for the enterprise, where legal documents are necessary and irreplaceable.

Upon further analysis, I defined what we wanted to do is design a new, visual AirWatch privacy policy. Here are some of the considerations for the new view:

Be easy to read and understand.

Be interactive and engaging for end users.

Answer common questions before they were asked.

Be customizable to the user reading it, since every company and every device type could have different data collected or monitored based on their configurations.

Initial Designs

Based on the conversations we had, I sketched our initial concepts. I wanted to start with a positive message and visuals inviting the users to interact with the privacy policy. In this exercise I decided to focus on two main things:

What AirWatch could do with the device (such as sending notifications and resetting passwords).

Design Reviews

The Big Four

Next, I conducted design reviews with AirWatch employees and found that it was better to chunk information together.

What AirWatch collects depends on a company’s policies and administrator, so some companies may collect information such as GPS but others may not. If a company does not collect this information, it was better not to show it at all.

I also found that most users are only interested in the “Big Four”. This was a name we gave to four pieces of data which were most important to end users: Browsing History, Text Messages, Photos and Personal Email. It was very important to inform users that AirWatch could not monitor any of these.

High-Fidelity Prototype

Next, I worked with the visual designer on this project to create some high-fidelity prototypes. During this phase we worked on the visual language to keep the tone and feel as friendly, open and approachable as possible.

Improvements from A/B Testing

Once we completed our prototype, I conducted some A/B tests with AirWatch employees to evaluate two variations. The major finding from this test was that notifying users that AirWatch does not collect the Big Four was imperative.

Although we explicitly showed users what data is collected, doubts about whether pictures or personal messages are collected were not assuaged. We decided to go with version B where we also included a “What we cannot see” section since that told users explicitly what is seen and also what isn't.

Results from Field Testing

I went out in the field to conduct tests with people in cafes with the aim of determining when users would like to see this information in the overall enrollment process. Participants went through the entire process with me, from being informed that they need to install AirWatch on their phones through an email from their company to installing the AirWatch agent. I noted their questions and concerns at each stage, and found that concerns usually arose right at the beginning of the process.

In our final implementation, employees can see their customized privacy policy online when they receive that first email from their companies. Questions need to be addressed once they enroll, too, so a web clip with the privacy policy is installed on the device.

Impact

Privacy First was announced in the VMware AirWatch Connect conference in September 2015 with a live preview of the designs, one of the biggest announcements at the conference. Our privacy policy was launched along with What is AirWatch as a complete solution in February 2016.

Closing Thoughts

Designing the AirWatch privacy policy was challenging, because of how little information we had and the tight deadline we were working on. However, it was very rewarding to address the end users of an enterprise service.

This was also one of the first projects where our design team conducted in-depth user research along with multiple usability tests, which influenced the design process every step of the way. It also helped our leadership see the value in allowing the design team with access to our end users to deliver better quality products.